Skip to main content

Cesanta Mongoose CVE-2026-11404

| EUVDEUVD-2026-42605 HIGH
Out-of-bounds Read (CWE-125)
2026-07-09 VulnCheck GHSA-cvgj-gr8r-q762
8.7
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
7.5 HIGH

Single unauthenticated ClientHello reaches the TLS parser (AV:N/AC:L/PR:N/UI:N); impact is a crash only, so C:N/I:N/A:H with no scope change.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (VulnCheck).

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

1
Analysis Generated
Jul 09, 2026 - 16:26 vuln.today

DescriptionCVE.org

Cesanta Mongoose before 7.22 contains an out-of-bounds read in the built-in TLS server function mg_tls_server_recv_hello(), which uses an attacker-controlled session_id_len byte from a TLS ClientHello as a buffer index without validating it against the length of received data. A remote, unauthenticated attacker can send a single crafted ClientHello with an oversized session id length to read past the receive buffer, crashing any HTTPS, MQTTS, or WSS service built on MG_TLS_BUILTIN.

AnalysisAI

Denial of service in Cesanta Mongoose before 7.22 lets a remote, unauthenticated attacker crash any TLS service (HTTPS, MQTTS, or WSS) built on the MG_TLS_BUILTIN stack by sending a single crafted TLS ClientHello whose session_id_len byte is used as an unvalidated buffer index, triggering an out-of-bounds read. The flaw sits in the built-in TLS server handshake function mg_tls_server_recv_hello() and requires no authentication or user interaction. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Reach exposed TLS listener
Delivery
Craft ClientHello with oversized session_id_len
Exploit
Send single handshake packet
Execution
Trigger out-of-bounds read in mg_tls_server_recv_hello()
Impact
Crash HTTPS/MQTTS/WSS service (DoS)

Vulnerability AssessmentAI

Exploitation The target must run a TLS server endpoint (HTTPS, MQTTS, or WSS) built with Mongoose's built-in TLS stack (MG_TLS_BUILTIN) on a version before 7.22; the only prerequisite is network reachability of that TLS listener. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms this is network-reachable, low-complexity, unauthenticated, and requires no user interaction - an attacker only needs to reach the TLS listener. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker locates an internet-exposed embedded device serving HTTPS, MQTTS, or WSS via Mongoose's built-in TLS, then sends a single crafted TLS ClientHello whose session_id length byte exceeds the received data length. The malformed handshake causes mg_tls_server_recv_hello() to read past the receive buffer and crash the service, denying availability with one unauthenticated packet; no public POC is currently identified but the trigger is trivial to reproduce.
Remediation Vendor-released patch: 7.22 - upgrade the Mongoose library to 7.22 or later and rebuild/redeploy any firmware or service that embeds it (release: https://github.com/cesanta/mongoose/releases/tag/7.22; fixing commit c288ac1f38424ffdd4d2fd5e1893fd4962642db3). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: identify all systems and applications running Cesanta Mongoose and document their current versions. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2025-23061 CRITICAL POC
9.0 Jan 15

Mongoose ODM for Node.js before version 8.9.5 contains a search injection vulnerability when using $where filters with p

CVE-2017-2894 CRITICAL POC
9.8 Nov 07

An exploitable stack buffer overflow vulnerability exists in the MQTT packet parsing functionality of Cesanta Mongoose 6

CVE-2017-2891 CRITICAL POC
9.8 Nov 07

An exploitable use-after-free vulnerability exists in the HTTP server implementation of Cesanta Mongoose 6.8. Rated crit

CVE-2017-2922 CRITICAL POC
9.8 Nov 07

An exploitable memory corruption vulnerability exists in the Websocket protocol implementation of Cesanta Mongoose 6.8.

CVE-2017-2921 CRITICAL POC
9.8 Nov 07

An exploitable memory corruption vulnerability exists in the Websocket protocol implementation of Cesanta Mongoose 6.8.

CVE-2023-3696 CRITICAL POC
9.8 Jul 17

Prototype Pollution in GitHub repository automattic/mongoose prior to 7.3.4. Rated critical severity (CVSS 9.8), this vu

CVE-2022-2564 CRITICAL POC
9.8 Jul 28

Prototype Pollution in GitHub repository automattic/mongoose prior to 6.4.6. Rated critical severity (CVSS 9.8), this vu

CVE-2019-19307 CRITICAL POC
9.8 Nov 26

An integer overflow in parse_mqtt in mongoose.c in Cesanta Mongoose 6.16 allows an attacker to achieve remote DoS (infin

CVE-2024-53900 CRITICAL POC
9.1 Dec 02

Mongoose before 8.8.3 can improperly use $where in match, leading to search injection. Rated critical severity (CVSS 9.1

CVE-2021-26530 CRITICAL POC
9.1 Feb 08

The mg_tls_init function in Cesanta Mongoose HTTPS server 7.0 (compiled with OpenSSL support) is vulnerable to remote OO

CVE-2021-26529 CRITICAL POC
9.1 Feb 08

The mg_tls_init function in Cesanta Mongoose HTTPS server 7.0 and 6.7-6.18 (compiled with mbedTLS support) is vulnerable

CVE-2021-26528 CRITICAL POC
9.1 Feb 08

The mg_http_serve_file function in Cesanta Mongoose HTTP server 7.0 is vulnerable to remote OOB write attack via connect

Share

CVE-2026-11404 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy